MSLRH V.031 shell analysis


[Target]: MSLRH V0.31 main program

[Tools]: OllyDbg 1.1 (DIY version), LordPE, ImportREC 1.6F

[Task]: Analyze the shell (packer)

[Operating Platform]: WinXP SP2

[Author]: loveboom [DFCG] [FCG] [US]

[Related Links]: search the Pediy (看雪) forum

[Brief Description]: A fellow cracker has already written this one up, so I am only joining in to watch the show. This shell uses RDTSC a great deal, so I wanted to see what is special about it.

[Detailed Procedure]:

Since the shell contains so much junk code, I first wrote a small script. I did not write it with OllyScript, because junk-removal scripts written with it sometimes make the program behave abnormally, so I wrote it for my junk-code plugin instead. The code is as follows:

[Code_ml01]

S = 0f31500f31 ???????????????????????????????????????? 2b0424 ?????????????????? 83c404

R = 90909090909090909090909090909090909090909090909090909090909090909090909090909090

[Code_ml02]

S = 3DFF0F0000EB01 ?? EB02 ???? EB01 ?? 761BEB01 ?? EB02 ???? EB01 ?? CC66B8FE00 ?????????????????? 66E764

R = 9090909090909090909090909090909090909090909090909090909090909090909090909090909090909090

[Code_ml03]

S = e80a000000 ?? EB0C ???? e8f6ffffffe8f2ffffff83c408

R = 90909090909090909090909090909090909090909090909090

[Code_ml04]

S = 50E802000000 ???? 586bc0 ?? e802000000 ???? 83c40458

R = 90909090909090909090909090909090909090909090909090

[Code_ml05]

S = 74047502 ???? EB01??

R = 909090909090909090

[Code_ml06]

S = EB05 ?? EB0440 ?? EBFA

R = 909090909090909090

Once the script is written, load the target in OllyDbg.
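As an added example (editor's code, not the author's plugin), here is a small Python patcher that consumes S/R rules in the form shown above, treating S as a search pattern in which ?? is a wildcard byte and R as a same-length replacement. That reading of the two lines is an assumption, since the plugin's own format is not described on the page. The rules ml03, ml05 and ml06 are copied from the article; the code bytes it runs on are a constructed sample.

```python
import re

# Rules in the S/R form used above. S = search pattern (?? = wildcard byte),
# R = replacement of the same length. ml03, ml05 and ml06 are copied from the
# article; reading S as "search" and R as "replace" is the editor's assumption.
RULES = [
    ("e80a000000 ?? EB0C ???? e8f6ffffffe8f2ffffff83c408", "90" * 23),   # ml03
    ("74047502 ???? EB01??", "90" * 9),                                  # ml05
    ("EB05 ?? EB0440 ?? EBFA", "90" * 9),                                # ml06
]


def parse_pattern(text):
    """'0f31 ?? 50' -> [0x0F, 0x31, None, 0x50]; None marks a wildcard byte."""
    text = text.replace(" ", "")
    if len(text) % 2:
        raise ValueError("odd number of hex digits in pattern: %r" % text)
    pairs = [text[i:i + 2] for i in range(0, len(text), 2)]
    return [None if p == "??" else int(p, 16) for p in pairs]


def compile_rule(search, replace):
    """Turn an S/R pair into a compiled bytes regex plus the replacement bytes."""
    pattern = parse_pattern(search)
    rep = bytes.fromhex(replace.replace(" ", ""))
    if len(rep) != len(pattern):
        raise ValueError("S and R differ in length (%d vs %d)" % (len(pattern), len(rep)))
    regex = b"".join(b"." if b is None else re.escape(bytes([b])) for b in pattern)
    return re.compile(regex, re.DOTALL), rep


def apply_rules(code, rules):
    """Patch every non-overlapping match of every rule; return (patched bytes, hit count)."""
    buf = bytearray(code)
    hits = 0
    for regex, rep in (compile_rule(s, r) for s, r in rules):
        # Match against a snapshot: each replacement has the same length as its
        # match, so the match positions stay valid while buf is being edited.
        for m in regex.finditer(bytes(buf)):
            buf[m.start():m.end()] = rep
            hits += 1
    return bytes(buf), hits


# Constructed sample: real instructions with one ml05 and one ml06 junk sequence between them.
SAMPLE = (b"\x60"                                      # PUSHAD
          + b"\x74\x04\x75\x02\x11\x22\xEB\x01\x33"    # ml05 instance (wildcard bytes 11 22 33)
          + b"\x33\xC0"                                # XOR EAX, EAX
          + b"\xEB\x05\x44\xEB\x04\x40\x55\xEB\xFA"    # ml06 instance (wildcard bytes 44 55)
          + b"\x61\xC3")                               # POPAD / RETN
CLEAN = b"\x60" + b"\x90" * 9 + b"\x33\xC0" + b"\x90" * 9 + b"\x61\xC3"


def clean_sample():
    """Run the rules over the constructed sample; expected result is CLEAN with 2 hits."""
    return apply_rules(SAMPLE, RULES)


if __name__ == "__main__":
    out, n = clean_sample()
    print(n, "junk sequences replaced:", out.hex(" "))
```

Because every R is exactly as long as its S, the patched code keeps all its addresses, which is what makes it safe to apply to a running image in the debugger; a rule whose lengths differ is rejected before anything is touched.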

00456000 > $ 60 PUSHAD ; shell entry point

00456001 . D1CB ROR EBX, 1 ; there is a lot of junk code here, you can ignore it

00456003 . 0FCA BSWAP EDX

00456005 . C1CA E0 ROR EDX, 0E0 ; Shift constant out of range 1..31

......

004560FA > / E8 0A000000 CALL 00456109 ; press F4 here directly

004560FF . E8 EB0C0000 CALL 00456DEF

00456104 . E8 F6FFFFFF CALL 004560FF

00456109 $ E8 F2FFFFFF CALL 00456100

......

0045615A > / 0F31 RDTSC ; once you get here, run the script to clean up; with the junk gone the world is really tidy :)

0045615C . 50 PUSH EAX

0045615D . 0F31 RDTSC

......

00456A98 0F31 RDTSC

00456A9A 50 PUSH EAX

00456A9B E8 00000000 CALL 00456AA0

00456AA0 810424 6F130000 ADD DWORD PTR SS:[ESP], 136F

00456AA7 64:FF35 00000000 PUSH DWORD PTR FS:[0] ; install SEH

00456AAE 64:8925 00000000 MOV DWORD PTR FS:[0], ESP ; the handler is at 457E0F

......

0045745C 33C0 XOR EAX, EAX ; the exception is raised here

0045745E 0FB600 MOVZX EAX, BYTE PTR DS:[EAX]

00457461 66:B8 FE00 MOV AX, 0FE

00457465 66:E7 64 OUT 64, AX ; I/O command

......

After the exception, press Shift+F9 to reach 457E0F, then keep going until here:

004587B6 8B4424 0C MOV EAX, DWORD PTR SS:[ESP+C]

004587BA 33C9 XOR ECX, ECX

004587BC 3348 04 XOR ECX, DWORD PTR DS:[EAX+4] ; clears the related DRx hardware breakpoints

004587BF 3348 08 XOR ECX, DWORD PTR DS:[EAX+8]

004587C2 3348 0C XOR ECX, DWORD PTR DS:[EAX+C]

004587C5 3348 10 XOR ECX, DWORD PTR DS:[EAX+10]

004587C8 8B6424 08 MOV ESP, DWORD PTR SS:[ESP+8]

004587CC 64:8F05 00000000 POP DWORD PTR FS:[0]

004587D3 83C4 04 ADD ESP, 4

......

0045917D 0F31 RDTSC ; after the exception, RDTSC is used again as anti-debugging

0045917F 2B0424 SUB EAX, DWORD PTR SS:[ESP]

00459182 83C4 04 ADD ESP, 4

00459185 3D FFFF0F00 CMP EAX, 0FFFFF

0045918A 76 05 JBE SHORT 00459191 ; it must jump here, otherwise it is over

0045918C E9 F08E0000 JMP 00462081

00459191 51 PUSH ECX

00459192 33C9 XOR ECX, ECX

00459194 E8 00000000 CALL 00459199

00459199 5F POP EDI

0045919A 81C7 C4090000 ADD EDI, 9C4

004591A0 5A POP EDX

004591A1 83C2 15 ADD EDX, 15

004591A4 0FB60439 MOVZX EAX, BYTE PTR DS:[ECX+EDI] ; load the byte into EAX (starting from 459B5D)

004591A8 33C2 XOR EAX, EDX ; XOR the value with 15

004591AA 880439 MOV BYTE PTR DS:[ECX+EDI], AL ; store the decoded value back

004591AD 41 INC ECX

004591AE 81F9 93000000 CMP ECX, 93 ; 93 bytes to decode

004591B4 ^ 72 EE JB SHORT 004591A4 ; if not finished, jump back and keep decoding

......

00459B5D 8B5C24 20 MOV EBX, DWORD PTR SS:[ESP+20] ; prepare to find the kernel base

00459B61 66:BB 0000 MOV BX, 0

00459B65 0FB703 MOVZX EAX, WORD PTR DS:[EBX]

00459B68 2D 4D5A0000 SUB EAX, 5A4D

00459B6D 74 08 JE SHORT 00459B77 ; jump if the DOS header ("MZ") is found

00459B6F 81EB 00000100 SUB EBX, 10000 ; (OllyDbg shows the Unicode string "ALLUSERSPROFILE=D:\Documents and Settings\All Users" here)

00459B75 ^ EB EE JMP SHORT 00459B65

00459B77 8BFB MOV EDI, EBX

00459B79 037B 3C ADD EDI, DWORD PTR DS:[EBX+3C] ; locate the PE header

00459B7C 83C7 78 ADD EDI, 78

00459B7F 8B3F MOV EDI, DWORD PTR DS:[EDI] ; locate the export table

00459B81 03FB ADD EDI, EBX

00459B83 57 PUSH EDI

00459B84 83C7 20 ADD EDI, 20

00459B87 8B3F MOV EDI, DWORD PTR DS:[EDI] ; fetch AddressOfNames

00459B89 03FB ADD EDI, EBX

00459B8B 33C0 XOR EAX, EAX

00459B8D 40 INC EAX

00459B8E 8B0F MOV ECX, DWORD PTR DS:[EDI]

00459B90 03CB ADD ECX, EBX ; locate the API name

00459B92 83C7 04 ADD EDI, 4

00459B95 8139 47657450 CMP DWORD PTR DS:[ECX], 50746547 ; check whether the first four characters of the API name are "GetP"

00459B9B ^ 75 F0 JNZ SHORT 00459B8D ; if not, jump back

00459B9D 8179 04 726F6341 CMP DWORD PTR DS:[ECX+4], 41636F72 ; check whether the next four are "rocA", i.e. this is GetProcAddress

00459BA4 ^ 75 E7 JNZ SHORT 00459B8D ; keep searching if not found

00459BA6 6BC0 02 IMUL EAX, EAX, 2

00459BA9 5F POP EDI

00459BAA 57 PUSH EDI

00459BAB 83C7 24 ADD EDI, 24

00459BAE 8B3F MOV EDI, DWORD PTR DS:[EDI]

00459BB0 03FB ADD EDI, EBX ; locate AddressOfNameOrdinals

00459BB2 03F8 ADD EDI, EAX

00459BB4 66:8B07 MOV AX, WORD PTR DS:[EDI]

00459BB7 6BC0 04 IMUL EAX, EAX, 4

00459BBA 5F POP EDI

00459BBB 83C7 1C ADD EDI, 1C

00459BBE 8B3F MOV EDI, DWORD PTR DS:[EDI] ; locate AddressOfFunctions

00459BC0 03FB ADD EDI, EBX

00459BC2 03F8 ADD EDI, EAX

00459BC4 8B7F FC MOV EDI, DWORD PTR DS:[EDI-4] ; fetch the address of GetProcAddress

00459BC7 03FB ADD EDI, EBX ; the address found is kept in EDI

00459BC9 803F CC CMP BYTE PTR DS:[EDI], 0CC ; if an INT3 breakpoint is found on the API, it goes wrong

00459BCC 75 09 JNZ SHORT 00459BD7 ; jump if nobody is tracing it

00459BCE 33C9 XOR ECX, ECX ; it had better jump over this :-)

00459BD0 33FF XOR EDI, EDI

00459BD2 ^ E9 C1CEFFFF JMP 00456A98

00459BD7 E8 00000000 CALL 00459BDC

00459BDC 58 POP EAX

00459BDD 2D EC3A0000 SUB EAX, 3AEC

00459BE2 B0 00 MOV AL, 0 ; EAX = 004560F0, locating the shell entry

00459BE4 05 00200100 ADD EAX, 12000

00459BE9 8BF0 MOV ESI, EAX ; EAX = 00468000

00459BEB 891E MOV DWORD PTR DS:[ESI], EBX ; the kernel base is saved at 468000

00459BED 897E 10 MOV DWORD PTR DS:[ESI+10], EDI ; the address of GetProcAddress is saved at 468010

00459BF0 33C9 XOR ECX, ECX

00459BF2 E8 00000000 CALL 00459BF7

00459BF7 5F POP EDI

00459BF8 81C7 C4090000 ADD EDI, 9C4 ; EDI = 0045A5BB

00459BFE 0FB60439 MOVZX EAX, BYTE PTR DS:[ECX+EDI] ; prepare to decode the block starting at 0045A5BB, size 0C3F

00459C02 83F0 15 XOR EAX, 15 ; the operation is XOR 15

00459C05 880439 MOV BYTE PTR DS:[ECX+EDI], AL ; store the decoded code

00459C08 41 INC ECX

00459C09 81F9 3F0C0000 CMP ECX, 0C3F

00459C0F ^ 72 ED JB SHORT 00459BFE ; if not finished, keep decoding

......
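The export-table walk at 00459B5D..00459BC7 is the standard way a packer resolves GetProcAddress without an import table, and the byte check at 00459BC9 is why a software breakpoint placed on GetProcAddress sends the shell into its failure path. The following Python is an added example by the editor, not the shell's or the author's code: it builds a small constructed PE image in memory, finds the module base the way the listing does (round down to 64K, step down until "MZ"), walks the export directory, and applies the INT3 check. It compares the whole export name, whereas the shell only compares the first eight bytes ("GetP", "rocA"); the module base, the layout offsets inside the image and the function bodies are constructed sample values.

```python
import struct

GRANULARITY = 0x10000          # SUB EBX, 10000: the scan steps down one 64K page at a time
IMAGE_BASE = 0x7C800000        # constructed base address for the sample module
MEM_START = IMAGE_BASE - GRANULARITY  # a little memory below the module so the scan can probe it


class Memory:
    """Flat memory model: a buffer that starts at address `start`."""
    def __init__(self, start, buf):
        self.start, self.buf = start, bytearray(buf)

    def read8(self, addr):
        return self.buf[addr - self.start]

    def read16(self, addr):
        return struct.unpack_from("<H", self.buf, addr - self.start)[0]

    def read32(self, addr):
        return struct.unpack_from("<I", self.buf, addr - self.start)[0]

    def read_cstr(self, addr):
        off = addr - self.start
        return self.buf[off:self.buf.index(b"\0", off)].decode("ascii")


def build_image(exports, bodies, size=0x30000):
    """Minimal PE32 image with an export directory at RVA 0x200 (constructed layout).
    exports: (name, function index) pairs sorted by name, as real export tables are;
    bodies: machine code per function, in AddressOfFunctions order."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)            # e_lfanew -> PE header at 0x80
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x84, 0x14C)           # Machine = i386
    struct.pack_into("<H", img, 0x98, 0x10B)           # OptionalHeader.Magic = PE32
    struct.pack_into("<II", img, 0xF8, 0x200, 0x100)   # DataDirectory[0] = export table (PE+0x78)
    funcs, names, ords, strs, code = 0x300, 0x340, 0x380, 0x400, 0x500
    # NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    struct.pack_into("<IIIII", img, 0x214, len(bodies), len(exports), funcs, names, ords)
    for i, body in enumerate(bodies):
        struct.pack_into("<I", img, funcs + 4 * i, code)
        img[code:code + len(body)] = body
        code += 0x20
    for i, (name, idx) in enumerate(exports):
        struct.pack_into("<I", img, names + 4 * i, strs)
        struct.pack_into("<H", img, ords + 2 * i, idx)
        img[strs:strs + len(name) + 1] = name.encode() + b"\0"
        strs += len(name) + 1
    return bytes(img)


def find_module_base(mem, addr):
    """00459B5D..00459B75: clear the low 16 bits of an address inside the module and
    walk down 64K at a time until the 'MZ' (5A4D) signature is found."""
    addr &= ~0xFFFF
    while mem.read16(addr) != 0x5A4D:
        addr -= GRANULARITY
    return addr


def find_export(mem, base, wanted):
    """00459B77..00459BC7: PE header -> export directory -> AddressOfNames; the index of
    the matching name goes through AddressOfNameOrdinals into AddressOfFunctions."""
    pe = base + mem.read32(base + 0x3C)
    exp = base + mem.read32(pe + 0x78)
    n_names = mem.read32(exp + 0x18)
    funcs = base + mem.read32(exp + 0x1C)
    names = base + mem.read32(exp + 0x20)
    ords = base + mem.read32(exp + 0x24)
    for i in range(n_names):
        if mem.read_cstr(base + mem.read32(names + 4 * i)) == wanted:
            ordinal = mem.read16(ords + 2 * i)
            return base + mem.read32(funcs + 4 * ordinal)
    return None


def has_int3(mem, addr):
    """00459BC9: the shell rejects an API whose first byte is CC (a software breakpoint)."""
    return mem.read8(addr) == 0xCC


# Constructed sample module: three exports whose ordinal order differs from name order.
BODIES = [b"\x0F\x31\xC3", b"\x33\xC0\xC3", b"\x8B\xFF\x55\x8B\xEC"]   # GetTickCount, CloseHandle, GetProcAddress
EXPORTS = [("CloseHandle", 1), ("GetProcAddress", 2), ("GetTickCount", 0)]
MEM = Memory(MEM_START, bytes(GRANULARITY) + build_image(EXPORTS, BODIES))


def resolve(mem, return_addr, name):
    """The whole sequence the shell performs: module base from a return address, then
    the export, then the INT3 check. Returns (base, api address, breakpoint found)."""
    base = find_module_base(mem, return_addr)
    addr = find_export(mem, base, name)
    return base, addr, addr is not None and has_int3(mem, addr)


if __name__ == "__main__":
    base, gpa, traced = resolve(MEM, IMAGE_BASE + 0x204C0, "GetProcAddress")
    print(f"kernel base {base:08X}, GetProcAddress {gpa:08X}, INT3 on entry: {traced}")
    patched = Memory(MEM.start, MEM.buf)
    patched.buf[gpa - patched.start] = 0xCC          # what a software breakpoint on the API looks like
    print("after placing a breakpoint:", has_int3(patched, gpa))
```

The practical consequence for analysis is the one the listing shows: a breakpoint on GetProcAddress must be a hardware breakpoint, or set on the return address, because the shell reads the first byte of the resolved API before ever calling it.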

0045A5B8 0F31 RDTSC ; the way the API addresses are fetched here is more interesting

0045A5BA 50 PUSH EAX

0045A5BB EB 13 JMP SHORT 0045A5D0 ; jump to where the address of OutputDebugStringA is fetched (the bytes skipped are the name string "OutputDebugStringA", shown below disassembled as code)

0045A5BD 4F DEC EDI

0045A5BE 75 74 JNZ SHORT 0045A634

0045A5C0 70 75 JO SHORT 0045A637

0045A5C2 74 44 JE SHORT 0045A608

0045A5C4 65:6275 67 BOUND ESI, QWORD PTR GS:[EBP+67] ; superfluous prefix

0045A5C8 53 PUSH EBX

0045A5C9 74 72 JE SHORT 0045A63D

0045A5CB 696E 67 4100E80> IMUL EBP, DWORD PTR DS:[ESI+67], 0E80041

0045A5D2 0000 ADD BYTE PTR DS:[EAX], AL

0045A5D4 0083 2C2418FF ADD BYTE PTR DS:[EBX+FF18242C], AL

0045A5DA 36:FF56 10 CALL DWORD PTR SS:[ESI+10]

0045A5DE 8946 14 MOV DWORD PTR DS:[ESI+14], EAX ; the acquired address is saved to 468014

0045A5E1 EB 01 JMP SHORT 0045A5E4

0045A5E3 68 EB02CD20 PUSH 20CD02EB

0045A5E8 EB 01 JMP SHORT 0045A5EB

0045A5EA E8 E8100000 CALL 0045B6D7

0045A5EF 0047 65 ADD BYTE PTR DS:[EDI+65], AL

0045A5F2 74 43 JE SHORT 0045A637

0045A5F4 6F OUTS DX, DWORD PTR ES:[EDI] ; I/O command

0045A5F5 6D INS DWORD PTR ES:[EDI], DX ; I/O command

0045A5F6 6D INS DWORD PTR ES:[EDI], DX ; I/O command

0045A5F7 61 POPAD

0045A5F8 6E OUTS DX, BYTE PTR ES:[EDI] ; I/O command

0045A5F9 64:4C DEC ESP ; superfluous prefix

0045A5FB 696E 65 4100FF3> IMUL EBP, DWORD PTR DS:[ESI+65], 36FF0041

0045A602 FF56 10 CALL DWORD PTR DS:[ESI+10]

0045A605 8946 18 MOV DWORD PTR DS:[ESI+18], EAX ; [468018] holds the address of GetCommandLineA

0045A608 90 NOP

0045A609 90 NOP

0045A60A 90 NOP

0045A60B 90 NOP

0045A60C 90 NOP

0045A60D 90 NOP

0045A60E 90 NOP

0045A60F 90 NOP

0045A610 90 NOP

0045A611 E8 0C000000 CALL 0045A622 ; get the address of CreateFileA

0045A616 43 INC EBX

0045A617 72 65 JB SHORT 0045A67E

0045A619 61 POPAD

0045A61A 74 65 JE SHORT 0045A681

0045A61C 46 INC ESI

0045A61D 696C65 41 00FF3> IMUL EBP, DWORD PTR SS:[EBP+41], FF36FF00

0045A625 56 PUSH ESI

0045A626 1089 461C9090 ADC BYTE PTR DS:[ECX+90901C46], CL

......

0045A7E6 E8 11000000 CALL 0045A7FC

0045A7EB 47 INC EDI

0045A7EC 65:74 4D JE SHORT 0045A83C ; superfluous prefix

0045A7EF 6F OUTS DX, DWORD PTR ES:[EDI] ; I/O command

0045A7F0 64:75 6C JNZ SHORT 0045A85F ; superfluous prefix

0045A7F3 65:48 DEC EAX ; superfluous prefix

0045A7F5 61 POPAD

0045A7F6 6E OUTS DX, BYTE PTR ES:[EDI] ; I/O command

0045A7F7 64:6C INS BYTE PTR ES:[EDI], DX ; I/O command

0045A7F9 65:41 INC ECX ; superfluous prefix

0045A7FB 00FF ADD BH, BH

0045A7FD 36:FF56 10 CALL DWORD PTR SS:[ESI+10]

0045A801 8946 50 MOV DWORD PTR DS:[ESI+50], EAX ; the last one, GetModuleHandleA

0045A804 90 NOP

0045A805 90 NOP

0045A806 90 NOP

0045A807 90 NOP

0045A808 90 NOP

0045A809 90 NOP

0045A80A 90 NOP

0045A80B 90 NOP

0045A80C 90 NOP

0045A80D 90 NOP

0045A80E 0F31 RDTSC

0045A810 2B0424 SUB EAX, DWORD PTR SS:[ESP] ; yet another timing detection

0045A813 83C4 04 ADD ESP, 4

0045A816 3D FFFF0F00 CMP EAX, 0FFFFF

0045A81B ^ 0F87 D0B8FFFF JA 004560F1 ; if it detects something it jumps, and then it is over

0045A821 . 56 PUSH ESI ; ESI = 468000

By the time the shell gets here it has finished resolving all the APIs the whole shell uses; the details are as follows:

......

0045B1C9 8CC9 MOV CX, CS ; start checking whether the system is 2K/XP

0045B1CB 32C9 XOR CL, CL

0045B1CD 83F9 00 CMP ECX, 0

0045B1D0 75 28 JNZ SHORT 0045B1FA ; jump if Win9x

0045B1D2 64:FF35 30000000 PUSH DWORD PTR FS:[30]

0045B1D9 58 POP EAX

0045B1DA 0FB648 02 MOVZX ECX, BYTE PTR DS:[EAX+2] ; take the byte at offset 2 of the block at FS:[30] (the author refers to it as the TEB)

0045B1DE 884E 0C MOV BYTE PTR DS:[ESI+C], CL

0045B1E1 8B40 0C MOV EAX, DWORD PTR DS:[EAX+C]

0045B1E4 8B40 0C MOV EAX, DWORD PTR DS:[EAX+C]

0045B1E7 8D58 20 LEA EBX, DWORD PTR DS:[EAX+20]

0045B1EA 8D48 18 LEA ECX, DWORD PTR DS:[EAX+18]

0045B1ED 8103 C8000000 ADD DWORD PTR DS:[EBX], 0C8 ; destroys the PE header

0045B1F3 B8 00000000 MOV EAX, 0

0045B1F8 0101 ADD DWORD PTR DS:[ECX], EAX

0045B1FA 33C9 XOR ECX, ECX

0045B1FC E8 00000000 CALL 0045B201

0045B201 5F POP EDI

0045B202 81C7 C1090000 ADD EDI, 9C1

0045B208 0FB60439 MOVZX EAX, BYTE PTR DS:[ECX+EDI] ; unlike the previous one, this block starts at 45BBC2

0045B20C 83F0 11 XOR EAX, 11 ; XOR key 11

0045B20F 880439 MOV BYTE PTR DS:[ECX+EDI], AL ; restore

0045B212 41 INC ECX

0045B213 81F9 521D0000 CMP ECX, 1D52 ; size of the block to decode, 1D52

0045B219 ^ 72 ED JB SHORT 0045B208 ; if not finished, go back and continue

......

0045C569 0F31 RDTSC ; also prepares for an exception

0045C56B 50 PUSH EAX

0045C56C E8 00000000 CALL 0045C571 ; install SEH

0045C571 810424 CA090000 ADD DWORD PTR SS:[ESP], 9CA

0045C578 64:FF35 00000000 PUSH DWORD PTR FS:[0]

0045C57F 64:8925 00000000 MOV DWORD PTR FS:[0], ESP ; exception handler address 45CF3B

0045C586 33DB XOR EBX, EBX

0045C588 8B1B MOV EBX, DWORD PTR DS:[EBX]

......

0045D8DF 8B4424 0C MOV EAX, DWORD PTR SS:[ESP+C]

0045D8E3 33C9 XOR ECX, ECX

0045D8E5 3348 04 XOR ECX, DWORD PTR DS:[EAX+4] ; clears the hardware breakpoints once again

0045D8E8 3348 08 XOR ECX, DWORD PTR DS:[EAX+8]

0045D8EB 3348 0C XOR ECX, DWORD PTR DS:[EAX+C]

0045D8EE 3348 10 XOR ECX, DWORD PTR DS:[EAX+10]

0045D8F1 8B6424 08 MOV ESP, DWORD PTR SS:[ESP+8]

0045D8F5 64:8F05 00000000 POP DWORD PTR FS:[0]

0045D8FC 83C4 04 ADD ESP, 4

0045D8FF 0F31 RDTSC

0045D901 2B0424 SUB EAX, DWORD PTR SS:[ESP]

0045D904 83C4 04 ADD ESP, 4

0045D907 3D FFFF0F00 CMP EAX, 0FFFFF ; it must jump here; another time-difference anti-debug check

0045D90C 76 06 JBE SHORT 0045D914

0045D90E 5E POP ESI

0045D90F C646 0F 01 MOV BYTE PTR DS:[ESI+F], 1

0045D913 56 PUSH ESI

......

0045DA75 5E POP ESI

0045DA76 884E 0D MOV BYTE PTR DS:[ESI+D], CL

......

0045E420 E8 05000000 CALL 0045E42A

0045E425 25 73257300 AND EAX, 732573 ; the debug string "%s%s"

0045E42A FF56 14 CALL DWORD PTR DS:[ESI+14] ; OutputDebugStringA

Note: if your OllyDbg has not been patched against the OutputDebugStringA vulnerability, it will not get past this point.

......

0045EDD4 FF56 18 CALL DWORD PTR DS:[ESI+18] ; GetCommandLineA, fetch the command line

0045EDD7 40 INC EAX

0045EDD8 33C9 XOR ECX, ECX

0045EDDA 41 INC ECX ; get the command line length, kept in ECX

0045EDDB 803C01 00 CMP BYTE PTR DS:[ECX+EAX], 0

0045EDDF 74 0C JE SHORT 0045EDED

0045EDE1 803C01 22 CMP BYTE PTR DS:[ECX+EAX], 22 ; keep going back if not at the end

0045EDE5 ^ 75 F3 JNZ SHORT 0045EDDA

0045EDE7 C60401 00 MOV BYTE PTR DS:[ECX+EAX], 0

0045EDEB ^ EB ED JMP SHORT 0045EDDA

0045EDED 6A 00 PUSH 0 ; /hTemplateFile = NULL

0045EDEF 6A 00 PUSH 0 ; |Attributes = 0

0045EDF1 6A 03 PUSH 3 ; |Mode = OPEN_EXISTING

0045EDF3 6A 00 PUSH 0 ; |pSecurity = NULL

0045EDF5 6A 00 PUSH 0 ; |ShareMode = 0

0045EDF7 68 00000080 PUSH 80000000 ; |Access = GENERIC_READ

0045EDFC 50 PUSH EAX ; |FileName = "d:\[mslrh].exe"

0045EDFD FF56 1C CALL DWORD PTR DS:[ESI+1C] ; \CreateFileA

0045EE00 90 NOP

Here CreateFileA is called (with ShareMode = 0) so that ImportREC cannot open the file. You can patch it at this point with

PUSH EAX

CALL CloseHandle

and then ImportREC can be used.

......

0045F7A7 837E 40 00 CMP DWORD PTR DS:[ESI+40], 0 ; check whether getting the address of ZwQueryInformationProcess succeeded

0045F7AB 74 24 JE SHORT 0045F7D1 ; if it failed, jump; so you can simply jump from here

0045F7AD FF56 24 CALL DWORD PTR DS:[ESI+24] ; otherwise get the ID of the current process with GetCurrentProcessId

0045F7B0 50 PUSH EAX ; /ProcessId

0045F7B1 6A 00 PUSH 0 ; |Inheritable = FALSE

0045F7B3 68 00040000 PUSH 400 ; |Access = QUERY_INFORMATION

0045F7B8 FF56 28 CALL DWORD PTR DS:[ESI+28] ; \OpenProcess, opens its own process

0045F7BB 8BDC MOV EBX, ESP ; ESP = 12FFA4

0045F7BD 83EB 04 SUB EBX, 4

0045F7C0 6A 00 PUSH 0

0045F7C2 6A 00 PUSH 0 ; /pReqSize = NULL

0045F7C4 6A 04 PUSH 4 ; |BufSize = 4

0045F7C6 53 PUSH EBX ; |Buffer = 0012FFA0

0045F7C7 6A 07 PUSH 7 ; |InfoClass = 7 (ProcessDebugPort)

0045F7C9 50 PUSH EAX ; |hProcess

0045F7CA FF56 40 CALL DWORD PTR DS:[ESI+40] ; \ZwQueryInformationProcess

0045F7CD 58 POP EAX

0045F7CE 8846 0E MOV BYTE PTR DS:[ESI+E], AL ; sets a flag at [46800E] from the result of ZwQueryInformationProcess; it is FF when a debugger is attached

......

00460178 8CC9 MOV CX, CS

0046017A 32C9 XOR CL, CL

0046017C 83F9 00 CMP ECX, 0

0046017F 0F84 A1130000 JE 00461526 ; jump if the system is Win 2K/XP; I am debugging on XP SP2, so of course it jumps

00460185 8B46 38 MOV EAX, DWORD PTR DS:[ESI+38]

00460188 8078 01 4C CMP BYTE PTR DS:[EAX+1], 4C

0046018C 0F85 94130000 JNZ 00461526

00460192 E8 00000000 CALL 00460197

00460197 810424 6E130000 ADD DWORD PTR SS:[ESP], 136E

0046019E 59 POP ECX

0046019F 64:FF35 00000000 PUSH DWORD PTR FS:[0]

004601A6 8B46 38 MOV EAX, DWORD PTR DS:[ESI+38]

004601A9 8B40 0B MOV EAX, DWORD PTR DS:[EAX+B]

004601AC 8908 MOV DWORD PTR DS:[EAX], ECX

......

00461ECD E8 00000000 CALL 00461ED2

00461ED2 58 POP EAX

00461ED3 2D E2BD0000 SUB EAX, 0BDE2 ; EAX = 004560F0

00461ED8 B0 00 MOV AL, 0

00461EDA 05 00200100 ADD EAX, 12000 ; EAX = 00468000

00461EDF 8BF0 MOV ESI, EAX

00461EE1 807E 0C 00 CMP BYTE PTR DS:[ESI+C], 0 ; I do not know what this one does :-(

00461EE5 74 51 JE SHORT 00461F38 ; it jumps here

00461EE7 6A 00 PUSH 0

00461EE9 FF56 50 CALL DWORD PTR DS:[ESI+50] ; GetModuleHandleA

00461EEC 50 PUSH EAX

00461EED 8BD8 MOV EBX, EAX

00461EEF 8B40 3C MOV EAX, DWORD PTR DS:[EAX+3C] ; locate the PE header

00461EF2 03C3 ADD EAX, EBX

00461EF4 8D98 00010000 LEA EBX, DWORD PTR DS:[EAX+100]

00461EFA 8B1B MOV EBX, DWORD PTR DS:[EBX]

00461EFC 58 POP EAX

00461EFD 03D8 ADD EBX, EAX

00461EFF 05 00100000 ADD EAX, 1000

00461F04 8BF8 MOV EDI, EAX

00461F06 81EB FF000000 SUB EBX, 0FF

00461F0C B9 10270000 MOV ECX, 2710

00461F11 0F31 RDTSC

00461F13 C1E8 18 SHR EAX, 18

00461F16 03F8 ADD EDI, EAX

00461F18 3007 XOR BYTE PTR DS:[EDI], AL

00461F1A 3BFB CMP EDI, EBX

00461F1C 7D 03 JGE SHORT 00461F21

00461F1E 49 DEC ECX

00461F1F ^ 75 F0 JNZ SHORT 00461F11

00461f21 90 NOP

00461f22 90 NOP

00461f23 90 NOP

00461f24 90 NOP

00461f25 90 NOP

00461f26 90 NOP

00461f27 90 NOP

00461f28 90 NOP

00461f29 90 NOP

00461f2a 90 NOP

00461F2B 90 NOP

00461F2C 90 NOP

00461f2d 90 NOP

00461f2e 90 NOP

00461F2F 90 NOP

00461F30 90 NOP

00461f31 90 NOP

00461f32 90 NOP

00461F33 90 NOP

00461F34 90 NOP

00461F35 90 NOP

00461F36 90 NOP

00461F37 90 NOP

00461F38 807E 0D 00 CMP BYTE PTR DS:[ESI+D], 0

00461F3C ^ 0F85 AF41FFFF JNZ 004560F1

00461F42 90 NOP

00461F43 90 NOP

00461F44 90 NOP

00461F45 90 NOP

00461F46 90 NOP

00461F47 90 NOP

00461F48 90 NOP

00461F49 90 NOP

00461F4A 90 NOP

00461F4B 807E 0E 00 CMP BYTE PTR DS:[ESI+E], 0

00461F4F ^ 0F85 9C41FFFF JNZ 004560F1

00461F55 90 NOP

00461f56 90 NOP

00461F57 90 NOP

00461f58 90 NOP

00461f59 90 NOP

00461F5A 90 NOP

00461F5B 90 NOP

00461F5C 90 NOP

00461F5D 90 NOP

00461f5e 90 NOP

00461F5F 90 NOP

00461F60 90 NOP

00461f61 90 NOP

00461F62 90 NOP

00461f63 90 NOP

00461F64 90 NOP

00461f65 90 NOP

00461f66 90 NOP

00461F67 90 NOP

00461f68 90 NOP

00461f69 90 NOP

00461F6A 90 NOP

00461f6b 90 NOP

00461F6C 807E 0F 00 CMP BYTE PTR DS:[ESI+F], 0

00461F70 ^ 0F85 7B41FFFF JNZ 004560F1

......

00461F8D E8 00000000 CALL 00461F92 ; the CRC calculation starts here, so now the code we patched earlier has to be put back

00461F92 59 POP ECX

00461F93 90 NOP

00461F94 90 NOP

00461F95 90 NOP

00461F96 90 NOP

00461F97 90 NOP

00461F98 90 NOP

00461F99 90 NOP

00461F9A 90 NOP

00461F9B 90 NOP

00461F9C 90 NOP

00461F9D 83E9 05 SUB ECX, 5

00461FA0 90 NOP

00461FA1 90 NOP

00461fa2 90 NOP

00461FA3 90 NOP

00461FA4 90 NOP

00461FA5 90 NOP

00461fa6 90 NOP

00461FA7 90 NOP

00461FA8 90 NOP

00461FA9 90 NOP

00461FAA 33DB XOR EBX, EBX

00461FAC 90 NOP

00461FAD 90 NOP

00461FAE 90 NOP

00461FAF 90 NOP

00461fb0 90 NOP

00461fb1 90 NOP

00461fb2 90 NOP

00461fb3 90 NOP

00461fb4 90 NOP

00461fb5 90 NOP

00461FB6 B8 9CBE0000 MOV EAX, 0BE9C

00461fbb 90 NOP

00461FBC 90 NOP

00461FBD 90 NOP

00461fbe 90 NOP

00461fbf 90 NOP

00461FC0 90 NOP

00461FC1 90 NOP

00461FC2 90 NOP

00461FC3 90 NOP

00461FC4 90 NOP

00461FC5 8BF9 MOV EDI, ECX

00461FC7 90 NOP

00461FC8 90 NOP

00461FC9 90 NOP

00461FCA 90 NOP

00461FCB 90 NOP

00461FCC 90 NOP

00461FCD 90 NOP

00461fce 90 NOP

00461FCF 90 NOP

00461fd0 90 NOP

00461FD1 2BF8 SUB EDI, EAX

00461FD3 90 NOP

00461fd4 90 NOP

00461FD5 90 NOP

00461fd6 90 NOP

00461FD7 90 NOP

00461fd8 90 NOP

00461FD9 90 NOP

00461FDA 90 NOP

00461FDB 90 NOP

00461FDC 90 NOP

00461fdd 0fb607 Movzx Eax, Byte Ptr DS: [EDI]

00461FE0 90 NOP

00461FE1 90 NOP

00461FE2 90 NOP

00461FE3 90 NOP

00461FE4 90 NOP

00461FE5 90 NOP

00461FE6 90 NOP

00461FE7 90 NOP

00461FE8 90 NOP

00461FE9 90 NOP

00461FEA 03D8 Add EBX, EAX

00461FEC 90 NOP

00461FED 90 NOP

00461fee 90 NOP

00461FEF 90 NOP

00461FF0 90 NOP

00461FF1 90 NOP

00461FF2 90 NOP

00461FF3 90 NOP

00461FF4 90 NOP

00461FF5 90 NOP

00461FF6 47 Inc EDI

00461FF7 90 NOP

00461FF8 90 NOP

00461FF9 90 NOP

00461ffa 90 NOP

00461ffb 90 NOP

00461FFC 90 NOP

00461FFD 90 NOP

00461ffe 90 NOP

00461FFF 90 NOP

00462000 90 NOP

00462001 3BF9 CMP EDI, ECX

00462003 90 NOP

00462004 90 NOP

00462005 90 NOP

00462006 90 NOP

00462007 90 NOP

00462008 90 NOP

00462009 90 NOP

0046200A 90 NOP

0046200B 90 NOP

0046200C 90 NOP

0046200d ^ 72 CE JB Short 00461FDD

0046200F bf 00704400 MOV EDI, 00447000

00462014 B9 00BC0000 MOV ECX, 0BC00

00462019 90 NOP

0046201A 90 NOP

0046201B 90 NOP

0046201C 90 NOP

0046201D 90 NOP

0046201E 90 NOP

0046201F 90 NOP

00462020 90 NOP

00462021 90 NOP

00462022 90 NOP

00462023 0fb607 Movzx Eax, Byte Ptr DS: [EDI]

00462026 90 NOP

00462027 90 NOP

00462028 90 NOP

00462029 90 NOP

0046202A 90 NOP

0046202B 90 NOP

0046202C 90 NOP

0046202D 90 NOP

0046202e 90 NOP

0046202F 90 NOP

00462030 02DF Add BL, BH

00462032 32DF XOR BL, BH

00462034 32C3 XOR Al, BL

00462036 90 NOP

00462037 90 NOP

00462038 90 NOP

00462039 90 NOP

0046203A 90 NOP

0046203B 90 NOP

0046203C 90 NOP

0046203D 90 NOP

0046203e 90 NOP

0046203F 90 NOP

00462040 8807 MOV BYTE PTR DS: [EDI], Al

00462042 90 NOP

00462043 90 NOP

00462044 90 NOP

00462045 90 NOP

00462046 90 NOP

00462047 90 NOP

00462048 90 NOP

00462049 90 NOP

0046204A 90 NOP

0046204B 90 NOP

0046204C 47 Inc EDI

0046204D 90 NOP

0046204e 90 NOP

0046204F 90 NOP

00462050 90 NOP

00462051 90 NOP

00462052 90 NOP

00462053 90 NOP

00462054 90 NOP

00462055 90 NOP

00462056 90 NOP

00462057 49 DEC ECX

00462058 90 NOP

00462059 90 NOP

0046205A 90 NOP

0046205B 90 NOP

0046205c 90 NOP

0046205D 90 NOP

0046205E 90 NOP

0046205F 90 NOP

00462060 90 NOP

00462061 90 NOP

00462062 ^ 75 b5 jnz short 00462019

00462064 E8 00000000 Call 00462069

00462069 59 POP ECX

0046206A 2959 16 SUB DWORD PTR DS:[ECX+16], EBX

0046206D 61 POPAD

0046206e 60 pushad

0046206f be 00704400 MOV ESI, 00447000

00462074 8DBE 00A0FBFF LEA EDI, DWORD PTR DS:[ESI+FFFBA000]

0046207A 57 PUSH EDI

0046207B 83CD FF OR EBP, FFFFFFFF

0046207E 68 ADE29F00 PUSH 9FE2AD ; if the CRC is wrong, this jumps off to the wrong place

00462083 C3 RETN

......
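To make concrete why the junk code has to be put back before this stage, here is an added Python model (editor's code, not the author's or the packer's) of the two loops from 00461FDD to 00462062 and the subtraction at 0046206A: the first loop sums the shell's bytes into EBX, the second uses BL and BH as a running key over the body at 00447000, and the final EBX is subtracted from the pushed constant to form the real return address. The shell bytes, the body and the entry address below are constructed sample values; the packer-side function is inferred from the fact that the decode loop is its own inverse.

```python
# Model of the checksum-keyed decode stage at 00461F8D..00462083 (added example;
# the shell bytes, body and entry address are constructed sample values).

def checksum(shell_code):
    """00461FDD..0046200D: EBX = sum of every byte of the shell code (32-bit)."""
    return sum(shell_code) & 0xFFFFFFFF


def keystream_decode(body, ebx):
    """00462019..00462062: per byte, BL = ((BL + BH) & FF) ^ BH, then AL ^= BL.
    BH stays fixed and BL is carried from byte to byte, so the final EBX is returned
    as well, because 0046206A subtracts it from the pushed return address."""
    bl, bh = ebx & 0xFF, (ebx >> 8) & 0xFF
    out = bytearray()
    for al in body:
        bl = ((bl + bh) & 0xFF) ^ bh
        out.append(al ^ bl)
    return bytes(out), (ebx & 0xFFFF0000) | (bh << 8) | bl


def pack(shell_code, body, entry):
    """Packer side (inferred: the decode loop is its own inverse): encode the body
    under the checksum of the shell and bias the entry address by the final EBX."""
    encoded, final_ebx = keystream_decode(body, checksum(shell_code))
    return encoded, (entry + final_ebx) & 0xFFFFFFFF


def unpack(shell_code, encoded, pushed):
    """Unpacker side: recompute the checksum over the shell as it is now in memory."""
    body, final_ebx = keystream_decode(encoded, checksum(shell_code))
    return body, (pushed - final_ebx) & 0xFFFFFFFF


# Constructed sample: a few bytes standing in for the shell at 004560F1..00461F8D
# (a timing check like the one at 0045917D), a plaintext body standing in for the
# region at 00447000, and a made-up entry address.
SHELL = bytes.fromhex("0F31500F312B042483C4043DFFFF0F007605E9F08E0000")
BODY = b"original program body, stand-in for the region at 00447000"
ENTRY = 0x00401000


def demo(patch_shell=False):
    """Returns (decoded body, recovered entry) for an untouched or a patched shell."""
    encoded, pushed = pack(SHELL, BODY, ENTRY)
    shell = bytearray(SHELL)
    if patch_shell:
        shell[16] = 0x90     # NOP out the JBE of the timing check (76 05 -> 90 05)
    return unpack(bytes(shell), encoded, pushed)


if __name__ == "__main__":
    print("untouched:", demo(False))
    print("patched:  ", demo(True))
```

A single patched byte changes BL at the start of the key stream, and because the BL update is a bijection the key differs at every position from then on, so both the decoded body and the return address come out wrong, which is exactly the "jumps off to the wrong place" behaviour the listing comments on.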

Scroll up and have a look at what this is: UPX.

004528c0 / eb 10 JMP Short 004528D2

004528c2 | 90 NOP

004528c3 | 90 NOP

004528C4 | 90 NOP

004528c5 | 90 NOP

004528c6 | 90 NOP

004528c7 | 90 NOP

004528C8 | 8A06 MOV Al, Byte PTR DS: [ESI]

004528CA | 46 Inc ESI

004528cb | 8807 MOV BYTE PTR DS: [EDI], Al

004528CD | 47 Inc EDI

004528ce | 01dB Add EBX, EBX

004528D0 | 75 07 JNZ Short 004528D9

004528D2 / 8B1E MOV EBX, DWORD PTR DS: [ESI]

004528D4 83ee FC SUB ESI, -4

004528d7 11dB ADC EBX, EBX

004528d9 ^ 72 Ed JB Short 004528C8

004528db B8 01000000 MOV Eax, 1

004528E0 01dB Add EBX, EBX

004528E2 75 07 JNZ Short 004528EB

004528E4 8B1E MOV EBX, DWORD PTR DS: [ESI]

004528E6 83ee FC SUB ESI, -4

004528E9 11DB ADC EBX, EBX

004528eb 11c0 ADC EAX, EAX

004528ed 01dB Add EBX, EBX

004528EF 73 0B JNB Short 004528FC

004528f1 75 19 JNZ Short 0045290C

004528F3 8B1E MOV EBX, DWORD PTR DS: [ESI]

004528F5 83ee FC SUB ESI, -4

004528F8 11dB ADC EBX, EBX

004528fa 72 10 JB Short 0045290C

004528FC 48 DEC EAX

004528fd 01db Add EBX, EBX

004528FF 75 07 JNZ Short 00452908

00452901 8B1E MOV EBX, DWORD PTR DS: [ESI]

00452903 83ee FC SUB ESI, -4

00452906 11dB ADC EBX, EBX

00452908 11C0 ADC EAX, EAX

0045290a ^ EB D4 JMP Short 004528E0

0045290c 31c9 xor ECX, ECX

0045290e 83e8 03 SUB EAX, 3

00452911 72 11 JB Short 00452924

00452913 C1E0 08 SHL EAX, 8

00452916 8A06 MOV Al, Byte PTR DS: [ESI]

00452918 46 Inc ESI

00452919 83F0 FF XOR EAX, FFFFFFFF

0045291C 74 78 Je Short 00452996

0045291e D1F8 SAR EAX, 1

00452920 89C5 MOV EBP, EAX

00452922 EB 0B JMP SHORT 0045292F

00452924 01dB Add EBX, EBX

00452926 75 07 JNZ SHORT 0045292F

00452928 8B1E MOV EBX, DWORD PTR DS: [ESI]

0045292A 83ee FC SUB ESI, -4

0045292D 11dB ADC EBX, EBX

0045292F 11C9 ADC ECX, ECX

00452931 01DB ADD EBX, EBX

00452933 75 07 JNZ Short 0045293C

00452935 8B1E MOV EBX, DWORD PTR DS: [ESI]

00452937 83ee FC SUB ESI, -4

0045293A 11dB ADC EBX, EBX

0045293C 11c9 ADC ECX, ECX

0045293e 75 20 jnz short 00452960

00452940 41 INC ECX

00452941 01dB Add EBX, EBX

00452943 75 07 JNZ Short 0045294C

00452945 8B1E MOV EBX, DWORD PTR DS: [ESI]

00452947 83EE FC SUB ESI, -4

0045294A 11dB ADC EBX, EBX

0045294C 11c9 ADC ECX, ECX

0045294e 01dB Add EBX, EBX

00452950 ^ 73 EF jnb short 00452941

00452952 75 09 JNZ SHORT 0045295D

00452954 8B1E MOV EBX, DWORD PTR DS: [ESI]

00452956 83ee FC SUB ESI, -4

00452959 11dB ADC EBX, EBX

0045295B ^ 73 E4 JNB Short 00452941

0045295D 83C1 02 Add ECX, 2

00452960 81FD 00FBFFFF CMP EBP, -500

00452966 83D1 01 ADC ECX, 1

00452969 8D142F LEA EDX, DWORD PTR DS:[EDI+EBP]

0045296C 83FD FC CMP EBP, -4

0045296F 76 0F Jbe Short 00452980

00452971 8A02 MOV Al, Byte PTR DS: [EDX]

00452973 42 Inc EDX

00452974 8807 MOV BYTE PTR DS: [EDI], Al

00452976 47 Inc EDI

00452977 49 DEC ECX

00452978 ^ 75 F7 jnz short 00452971

0045297A ^ E9 4FFFFFFF JMP 004528CE

0045297f 90 NOP

00452980 8B02 MOV EAX, DWORD PTR DS: [EDX]

00452982 83C2 04 Add EDX, 4

00452985 8907 MOV DWORD PTR DS: [EDI], EAX

00452987 83C7 04 ADD EDI, 4

0045298A 83E9 04 SUB ECX, 4

0045298d ^ 77 f1 ja short 00452980

0045298f 01cf add edi, ECX

00452991 ^ E9 38ffffff jmp 004528CE

00452996 5e POP ESI

00452997 89F7 MOV EDI, ESI

00452999 B9 D5160000 MOV ECX, 16D5

0045299E 8A07 MOV AL, BYTE PTR DS: [EDI]

004529A0 47 INC EDI

004529A1 2C E8 SUB AL, 0E8

004529A3 3C 01 CMP AL, 1

004529A5 ^ 77 F7 Ja Short 0045299E

004529A7 803F 01 CMP BYTE PTR DS: [EDI], 1

004529AA ^ 75 F2 JNZ Short 0045299E

004529ac 8B07 MOV EAX, DWORD PTR DS: [EDI]

004529AE 8A5F 04 MOV BL, BYTE PTR DS:[EDI+4]

004529B1 66: C1E8 08 SHR AX, 8

004529B5 C1C0 10 ROL EAX, 10

004529B8 86C4 XCHG AH, Al

004529BA 29F8 SUB EAX, EDI

004529BC 80eb E8 SUB BL, 0E8

004529BF 01F0 Add Eax, ESI

004529C1 8907 MOV DWORD PTR DS: [EDI], EAX

004529C3 83C7 05 Add EDI, 5

004529C6 89D8 MOV EAX, EBX

004529c8 ^ E2 D9 LoOPD Short 004529A3

004529CA 8DBE 00000500 LEA EDI, DWORD PTR DS:[ESI+50000]

004529D0 8B07 MOV EAX, DWORD PTR DS: [EDI]

004529d2 09c0 or Eax, EAX

004529D4 74 3C JE SHORT 00452A12

004529D6 8B5F 04 MOV EBX, DWORD PTR DS:[EDI+4]

004529D9 8D8430 B0490500 LEA EAX, DWORD PTR DS:[EAX+ESI+549B0]

004529E0 01F3 Add EBX, ESI

004529E2 50 Push EAX

004529E3 83C7 08 Add EDI, 8

004529E6 FF96 3C4A0500 CALL DWORD PTR DS:[ESI+54A3C]

004529EC 95 XCHG EAX, EBP

004529ED 8A07 MOV AL, BYTE PTR DS:[EDI]

004529EF 47 Inc EDI

004529f0 08c0 or Al, Al

004529f2 ^ 74 DC JE SHORT 004529D0

004529F4 89F9 MOV ECX, EDI

004529f6 57 Push EDI

004529f7 48 DEC EAX

004529F8 F2: ae repne scas Byte PTR ES: [EDI]

004529fa 55 Push EBP

004529FB FF96 404A0500 CALL DWORD PTR DS:[ESI+54A40]

00452A01 09c0 or Eax, EAX

00452A03 74 07 JE SHORT 00452A0C

00452A05 8903 MOV DWORD PTR DS: [EBX], EAX

00452A07 83C3 04 Add EBX, 4

00452A0A ^ EB E1 JMP SHORT 004529ED

00452A0C FF96 444A0500 CALL DWORD PTR DS:[ESI+54A44]

00452A12 61 POPAD

00452A13 - E9 3E13FCFF JMP 00413D56

That was quite a bit to analyze; it failed n times and took me a whole afternoon. Now I am very hungry, so I am going home.

Note: whatever was changed when removing the junk code has to be changed back before the CRC check; that repairs the code directly from the back, RDTSC included.

Greetz:

Fly.jingulong, Yock, TDASM.David.hexer, Hmimys, Ahao.ufo (Brother) .aran (Sister) .all of my friends and you!

By LoveBoom [DFCG] [FCG] [US]

Email: loveboom # 163.com

Date: 2005-02-25 20:14

Please credit the original source when reposting: https://www.9cbs.com/read-36283.html
